Xaraya xarMLSXML2PHPBackend.php目录遍历漏洞

漏洞信息详情

Xaraya xarMLSXML2PHPBackend.php目录遍历漏洞

• CNNVD编号：CNNVD-200511-498
• 危害等级： 中危
  
  
• CVE编号：
  CVE-2005-3929
  
• 漏洞类型：
  
  
  路径遍历
  
• 发布时间：
  
  2005-11-30
  
• 威胁类型：
  
  
  远程
  
• 更新时间：
  
  2005-11-30
  
• 厂        商：
  
  xaraya
• 漏洞来源：
  rgod rgod@autistic…

Xaraya是Xaraya团队开发的一套开源的内容管理解决方案与开发框架，它包含了创建动态的跨平台内容管理系统所需要的基础模块和工具。

Xaraya的fopen()中存在文件破坏漏洞，可能导致拒绝服务。xarMLSXML2PHPBackend.php中的漏洞代码如下：

…

function create($ctxType， $ctxName)

{

assert(\’\’!empty($this-＞baseDir)\’\’);

assert(\’\’!empty($this-＞baseXMLDir)\’\’);

$this-＞fileName = $this-＞baseDir;

$this-＞xmlFileName = $this-＞baseXMLDir;

if (!ereg(\”^[a-z]+：$\”， $ctxType)) {

list($prefix，$directory) = explode(\’\’：\’\’，$ctxType);

if ($directory != \”\”) {

$this-＞fileName .= $directory . \”/\”;

$this-＞xmlFileName .= $directory . \”/\”;

}

}

$dirForMkDir = $this-＞fileName;

if (!file_exists($dirForMkDir)) xarMLS__mkdirr($dirForMkDir， 0777);

$this-＞fileName .= $ctxName . \”.php\”;

$this-＞xmlFileName .= $ctxName . \”.xml\”;

$xmlFileExists = false;

if (file_exists($this-＞xmlFileName)) {

if (!($fp1 = fopen($this-＞xmlFileName， \”r\”))) {

xarLogMessage(\”Could not open XML input： \”.$this-＞xmlFileName);

}

$data = fread($fp1， filesize($this-＞xmlFileName));

fclose($fp1);

$xml_parser = xml_parser_create();

xml_parse_into_struct($xml_parser， $data， $vals， $index);

xml_parser_free($xml_parser);

$xmlFileExists = true;

} else {

xarLogMessage(\”MLS Could not find XML input： \”.$this-＞xmlFileName);

}

$fp2 = @fopen ($this-＞fileName， \”w\” );

if ($fp2 !== false) {

fputs($fp2， \’\’＜?php\’\’.\”＼n\”);

fputs($fp2， \’\’global $xarML_PHPBackend_entries;\’\’.\”＼n\”);

fputs($fp2， \’\’global $xarML_PHPBackend_keyEntries;\’\’.\”＼n\”);

if ($xmlFileExists) {

foreach ($vals as $node) {

if (!array_key_exists(\’\’tag\’\’，$node)) continue;

if (!array_key_exists(\’\’value\’\’，$node)) $node[\’\’value\’\’] = \’\’\’\’;

if ($node[\’\’tag\’\’] == \’\’STRING\’\’) {

$node[\’\’value\’\’] = str_replace(\’\’＼\’\’\’\’， \’\’＼＼＼\’\’\’\’， $node[\’\’value\’\’]);

$start = \’\’$xarML_PHPBackend_entries[＼\’\’\’\’.$node[\’\’value\’\’].\”\’\’]\”;

} elseif ($node[\’\’tag\’\’] == \’\’KEY\’\’) {

$node[\’\’value\’\’] = str_replace(\’\’＼\’\’\’\’， \’\’＼＼＼\’\’\’\’， $node[\’\’value\’\’]);

$start = ＼

\’\’$xarML_PHPBackend_keyEntries[＼\’\’\’\’.$node[\’\’value\’\’].\”\’\’]\”; } elseif ($node[\’\’tag\’\’] == ＼

\’\’TRANSLATION\’\’) { if ($this-＞outCharset != \’\’utf-8\’\’) {

$node[\’\’value\’\’] = ＼

$GLOBALS[\’\’xarMLS_newEncoding\’\’]-＞convert($node[\’\’value\’\’]， \’\’utf-8\’\’， $this-＞outCharset， ＼

0); }

$node[\’\’value\’\’] = str_replace(\’\’＼\’\’\’\’， \’\’＼＼＼\’\’\’\’， $node[\’\’value\’\’]);

if (!empty($node[\’\’value\’\’])) {

fputs($fp2， $start . \” = \’\’\”.$node[\’\’value\’\’].\”\’\’;＼n\”);

}

}

}

}

fputs($fp2， \”?＞\”);

fclose($fp2);

} else {

xarLogMessage(\”Could not create file： \”.$this-＞fileName);

global $xarML_PHPBackend_entries;

global $xarML_PHPBackend_keyEntries;

if ($xmlFileExists) {

foreach ($vals as $node) {

if (!array_key_exists(\’\’tag\’\’，$node)) continue;

if (!array_key_exists(\’\’value\’\’，$node)) $node[\’\’value\’\’] = \’\’\’\’;

if ($node[\’\’tag\’\’] == \’\’STRING\’\’) {

$node[\’\’value\’\’] = str_replace(\’\’＼\’\’\’\’， \’\’＼＼＼\’\’\’\’， $node[\’\’value\’\’]);

$entryIndex = $node[\’\’value\’\’];

$entryType = \’\’string\’\’;

} elseif ($node[\’\’tag\’\’] == \’\’KEY\’\’) {

$node[\’\’value\’\’] = str_replace(\’\’＼\’\’\’\’， \’\’＼＼＼\’\’\’\’， $node[\’\’value\’\’]);

$entryIndex = $node[\’\’value\’\’];

$entryType = \’\’key\’\’;

} elseif ($node[\’\’tag\’\’] == \’\’TRANSLATION\’\’) {

if ($this-＞outCharset != \’\’utf-8\’\’) {

$node[\’\’value\’\’] = ＼

$GLOBALS[\’\’xarMLS_newEncoding\’\’]-＞convert(

来源: BID

名称: 15623

链接:http://www.securityfocus.com/bid/15623

来源: BUGTRAQ

名称: 20051129 Xaraya <= 1.0.0 RC4 D.O.S / file corruption

链接:http://www.securityfocus.com/archive/1/archive/1/418087/100/0/threaded

来源: MISC

链接:http://rgod.altervista.org/xaraya1DOS.hmtl

来源: BUGTRAQ

名称: 20051130 Re: Re: Xaraya <= 1.0.0 RC4 D.O.S / file corruption

链接:http://www.securityfocus.com/archive/1/archive/1/418209/100/0/threaded

来源: BUGTRAQ

名称: 20051130 Re: Xaraya <= 1.0.0 RC4 D.O.S / file corruption

链接:http://www.securityfocus.com/archive/1/archive/1/418191/100/0/threaded

来源: VUPEN

名称: ADV-2005-2665

链接:http://www.frsirt.com/english/advisories/2005/2665

来源: SREASON

名称: 217

链接:http://securityreason.com/securityalert/217

来源: SECUNIA

名称: 17788

链接:http://secunia.com/advisories/17788